Goner worm spreads, tries to delete firewalls

A new high-risk worm, called 'Goner,' which attempts to delete a number of program files on infected computers, including firewall applications, is spreading quickly, according to a number of antivirus firms.

          A new high-risk worm, called "Goner," which attempts to delete a number of program files on infected computers, including firewall applications, is spreading quickly, according to a number of antivirus firms.

          The worm spreads by way of an attachment sent to users of Microsoft's email programs Microsoft Outlook and Outlook Express, and, in a change from the usual worm formula, also through the chat application ICQ, according to vendors of antivirus products including McAfee.com, Computer Associates International and Trend Micro. Goner does not exploit any security vulnerabilities like the recent Badtrans worm, but instead must have its attachment double-clicked in order to be launched, says April Goostree, virus research manager at McAfee.com.

          Goner appears in user's in-boxes as an email with the subject line "Hi." The body of the message reads, "How are you ? When I saw this screen saver, I immediately thought about you ... I am in a harry [sic], I promise you will love it!" The mail also includes an attachment called Gone.SCR, which appears to be a screensaver.

          When the attachment is double-clicked, the worm sends itself to everyone listed in the victim computer's address book, the antivirus companies say. Goner also tries to spread through the ICQ chat program, sending a copy of itself to all online users, Trend Micro says on its website. The worm installs a backdoor program that is activated whenever the mIRC chat application is launched and that can be used in Denial of Service attacks, Trend Micro said. After double-clicking on the attachment, a window also pops up, which includes credits for the virus' writer and its testers.

          After launch, Goner attempts to locate and delete a number of programs, including security programs like Zone Labs's ZoneAlarm firewall application, McAfee.com's Goostree says. Other files it attempts to delete include antivirus programs from Symantec and Kaspersky Labs , and security applications from Lockdown and SafeWeb, according to both McAfee.com and Trend Micro.

          The number of users infected with Goner is already "very, very large," Goostree says, although she did not have an exact number available.

          "I would imagine you're going to see corporations shutting down their mail servers" to deal with the worm, she says.

          Users are advised to update their virus definitions, visit the website of their antivirus provider and not open unexpected attachments.

Join the newsletter!

Error: Please check your email address.

Tags goner

More about CA TechnologiesComputer Associates InternationalICQKasperskyMcAfee AustraliaMcAfee.comMicrosoftSafeWebSymantecTrend Micro AustraliaZone Labs

Show Comments
[]